Integrating Linux systems with Active Directory Using Open Source Tools
SCALE 15x
Dmitri Pal Engineering Director, Red Hat, Inc. 03-06-2017 Agenda
● Problem statement ● Aspects of integration ● Integration options ● Recommendations
2 Integrating Linux systems with Active Directory Using Open Source Tools Problem Statement and Aspects of Integration Problem Statement
● For most companies AD is the central hub of the user identity management inside the enterprise ● All systems that AD users can access (including Linux) need (in some way, i.e. directly or indirectly) to have access to AD to perform authentication and identity lookups ● In some cases the AD is the only allowed central authentication server due to compliance requirements ● In some cases DNS is tightly controlled by the Windows side of the enterprise and non Windows systems need to adapt to this
4 Integrating Linux systems with Active Directory Using Open Source Tools Integration Aspects Main aspects
● Identities ○ Where are my users stored? What properties do they have? How is this data made available to systems and applications? How this data is delivered to the right endpoints? Is it cached and how it is refreshed? ● Authentication ○ What credentials do my users use to authenticate? Passwords? Smart Cards? Special devices? Is there SSO? How can the same user access file stores and web applications without requiring re-authentication?
5 Integrating Linux systems with Active Directory Using Open Source Tools Integration Aspects Main aspects, continued
● Access control ○ Which users have access to which systems, services, applications? What commands can they run on those systems? What SELinux context is a user is mapped to? ● Policies ○ What is the type and strength of the credential? What are the SSO ticket/assertion policies? How to express what is allowed and what not in my environment to be compliant with known regulations (PCI, STIG, etc.)?
6 Integrating Linux systems with Active Directory Using Open Source Tools Integration Options Integration options
Direct Integration Indirect Integration
Central Active Active Identity Directory Directory Server
Linux Linux Linux Linux Linux Linux system system system system system system
8 Integrating Linux systems with Active Directory Using Open Source Tools Integration options
Direct Integration
Active Directory
Linux Linux Linux system system system
9 Integrating Linux systems with Active Directory Using Open Source Tools Direct Integration Options
● 3rd party ● Legacy (pam_krb5, pam_ldap, nss_ldap, nslcd) ● Traditional – winbind ● Contemporary – SSSD (with realmd)
10 Integrating Linux systems with Active Directory Using Open Source Tools Third Party Direct Integration
3rd Party Plugin ID mapping is implementation specific Policies via GPO or uses SFU/IMU extensions in AD Active Directory
Linux System
DNS LDAP KDC rd 3 party client Policies
Authentication sudo
Identities HBAC
automount Client may use native AD protocols Name Resolution selinux Authentication can be LDAP or Kerberos ssh keys
11 Integrating Linux systems with Active Directory Using Open Source Tools Third Party Direct Integration Pros and Cons
● Pros ● Everything is managed in one place including policies ● SSO can be accomplished via Kerberos ● Cons ● Requires third party vendor ● Extra cost per system (adds up) ● Limits UNIX/Linux environment independence ● Requires software on AD side ● Policies are not managed or require extra addons
12 Integrating Linux systems with Active Directory Using Open Source Tools Legacy Direct Integration
ID mapping SFU/IMU extensions are in AD Policies are delivered via configuration files and managed locally or via a config server like Ansible AD can be extended to serve basic sudo or Puppet. and automount Active Directory
Linux System
DNS LDAP KDC LDAP/Kerberos Policies
Authentication sudo
Identities HBAC
automount Name Resolution selinux Authentication can be LDAP or Kerberos ssh keys
13 Integrating Linux systems with Active Directory Using Open Source Tools Legacy Direct Integration Pros and Cons
● Pros: ● Free ● No third party vendor is needed ● Intuitive ● LDAP OTP authentication in Azure (have not tried) ● Available on UNIXes ● Cons: ● Requires SFU/IMU AD extension (which are deprecated as of fall 2014) ● Policies are not centrally managed ● Hard to configure securely ● No SSO with OTP
14 Integrating Linux systems with Active Directory Using Open Source Tools Traditional Direct Integration
AD can be extended to serve basic sudo and automount Policies are delivered via configuration files and Can map AD SID to POSIX attributes or use SFU/IMU managed locally or via a config server like Ansible Can join system into AD domain (net join or realmd) or Puppet. Leverages native AD protocols and LDAP/Kerberos Active Directory
Linux System
DNS LDAP KDC Samba Winbind Policies
Authentication sudo
Identities HBAC
automount Name Resolution selinux Authentication can be LDAP, Kerberos or NTLM ssh keys
15 Integrating Linux systems with Active Directory Using Open Source Tools Traditional Direct Integration Pros and Cons
● Pros: ● Well known ● Does not require third party ● Does not require SFU/IMU but can use them ● Supports trusted forests ● Supports NTLM fallback ● Cons: ● Can connect only to AD and very MSFT focused ● Policies are not centrally managed ● No OTP support
16 Integrating Linux systems with Active Directory Using Open Source Tools SSSD Introduction
● SSSD = System Security Services Daemon ● SSSD is a service used to retrieve information from a central identity management system. ● SSSD connects a Linux system to a central identity store: ● Active Directory ● FreeIPA ● Any other directory server ● Provides authentication and access control ● Top technology in the evolution chain of the client side IdM components
17 Integrating Linux systems with Active Directory Using Open Source Tools SSSD Capabilities
● Multiple parallel sources of identity and authentication – domains ● All information is cached locally for offline use ● Remote data center use case ● Laptop or branch office system use case ● Advanced features for: ● FreeIPA integration ● AD integration
18 Integrating Linux systems with Active Directory Using Open Source Tools SSSD Architecture Simplified
SSSD
Identity Server Client PAM Responer Identity Provider
Client Cache Domain Provider
Authentication Provider Authentication NSS Responer Client Server
19 Integrating Linux systems with Active Directory Using Open Source Tools SSSD Why?
● Supports everything that previous UNIX solutions support and more ● Brings architecture to the next level ● Supports multiple sources – domains ● Supports IdM specific features ● Supports trusts between AD and IdM ● Has a feature parity with winbind in core areas and surpasses in some
20 Integrating Linux systems with Active Directory Using Open Source Tools Realmd Couple words
● Component of Linux ● Main goal is to detect domain environment using DNS (detection) ○ AD ○ FreeIPA ○ Kerberos ● Join system to the domain (using SSSD or Winbind) ● Do it in one command or click ● Availability: command line, D-BUS interface, system installer, desktop
21 Integrating Linux systems with Active Directory Using Open Source Tools SSSD Based Direct Integration
AD can be extended to serve basic sudo and automount GPO support for HBAC is available Can map AD SID to POSIX attributes or use SFU/IMU Other policies are delivered via configuration files Can join system into AD domain (realmd) and managed locally or via a config server like Leverages native AD protocols and LDAP/Kerberos Satellite or Puppet. Active Directory
Linux System
DNS LDAP KDC SSSD Policies
Authentication sudo
Identities HBAC
automount Name Resolution selinux Authentication can be LDAP or Kerberos ssh keys
22 Integrating Linux systems with Active Directory Using Open Source Tools SSSD Based Direct Integration Pros and Cons
● Pros: ● Does not require SFU/IMU but can use them ● Can be used with different identity sources ● Support transitive trusts in AD domains and trusts with FreeIPA ● Supports CIFS client and Samba FS integration ● GPO for Windows based HBAC ● Well known now? ● Cons: ● No NTLM support, no support for AD forest trusts ● No SSO with OTP ● Not all policies are centrally managed
23 Integrating Linux systems with Active Directory Using Open Source Tools Direct Integration Option Summary
● Use SSSD - it provides good enough integration out of box, free and well supported ● Use Winbind if you have special cases when NTLM or cross forest trusts are needed (*) ● Use 3rd party if you want super advanced functionality and have extra money ● Do not use legacy setup
24 Integrating Linux systems with Active Directory Using Open Source Tools Direct Integration More information
● Please read my blog :-) ○ http://rhelblog.redhat.com/author/dpalsecam/ ● Comparison: ○ http://rhelblog.redhat.com/2015/02/04/overview-of-direct-integration-options/ ○ It is 2 years old but gives a good foundation
25 Integrating Linux systems with Active Directory Using Open Source Tools Direct Integration Issues
● Policy management is still not fully central ● Might require deprecated extensions on the AD side ● Per system CALs add to cost ● Linux/UNIX administrators do not have control over the environment
26 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM FreeIPA/IdM Introduction
● IdM – Identity Management in Red Hat Enterprise Linux ● Based on FreeIPA open source technology ● IPA stands for Identity, Policy, Audit ● So far we have focused on identities and related policies ● Audit is coming but it is bigger than FreeIPA
28 Integrating Linux systems with Active Directory Using Open Source Tools Problems FreeIPA/IdM Solves
● Central management of authentication and identities for Linux clients ○ Improvement over standalone LDAP/Kerberos/NIS based solutions ○ Simplify management of infrastructure ● Gateway between the Linux/UNIX infrastructure and Active Directory
29 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM High Level Architecture
MIT Kerberos Dogtag Linux
UNIX KDC PKI
CLI/UI
389 DS Bind
LDAP DNS
Admin
30 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM Integration
And more: netgroups, automembership, OTP...
FreeIPA/IdM
Linux System
PKI DNS LDAP KDC SSSD Policies
Authentication sudo
Identities HBAC
automount Name Resolution selinux Authentication can be LDAP or Certificates/Keys Kerberos ssh keys
31 Integrating Linux systems with Active Directory Using Open Source Tools Demo Let us try something risky if we have time and network connectivity!
https://ipa.demo1.freeipa.org/
32 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM Features
● Centralized authentication via Kerberos or LDAP ● Identity management: ○ users, groups, hosts, host groups, netgroups, services ○ user lifecycle management ● Manageability: ○ Simple installation scripts for server and client ○ Rich CLI and web-based user interface ○ Pluggable and extensible framework for UI/CLI ○ Flexible delegation and administrative model ■ Self, delegated, role based; read permissions
33 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM Features Continued
● Host-based access control ● Centrally-managed SUDO ● SSH key management ● Group-based password policies ● Automatic management of private groups ● Can act as NIS server for legacy systems ● Painless password migration ● SELinux user mapping ● Auto-membership for hosts and users ● Serving sets of automount maps to different clients ● Different POSIX data and SSH keys for different sets of hosts
34 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM Features DNS
● DNS is optional but convenient ● Advantages (automation and security): ○ The SRV records get created automatically ○ Host records get created automatically when hosts are added ○ The clients can update their DNS records in a secure way (GSS-TSIG) ○ The admin can delegate management of the zones to whomever he likes ○ Built in DNSSEC support (planned as Tech Preview in RHEL 7.2) ● Disadvantages: ○ You need to delegate a zone
35 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM More Features
● Replication: ○ Supports multi-server deployment based on the multi-master replication (up to 60 replicas) ○ Recommended deployment 2K-3K clients per replica ○ Details depend on the number of data centers and their geo-location ● 2FA ○ Native HOTP/TOTP support with FreeOTP and Yubikey ○ Proxied 2FA authentication over RADIUS for other solutions ○ 2FA for AD users (in works) ● Backup and Restore ● Compatibility with broad set of clients (LINUX/UNIX)
36 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM Features PKI
● CA related capabilities ○ Certificate provisioning for users (new), hosts and services ○ Multiple certificate profiles ○ Sub CAs ● CA deployment types ○ CA-less ○ Chained to other CA ○ Self signed root ● Tool to change deployment type and rotate CA keys ○ Flexibility in deploying CAs on different replicas ● Key store (Vault)
37 Integrating Linux systems with Active Directory Using Open Source Tools Indirect Integration using FreeIPA/IdM Integration options
Indirect Integration
Active FreeIPA Directory IdM
Linux Linux Linux system system system
39 Integrating Linux systems with Active Directory Using Open Source Tools Integration Paths Overview
● User and password synchronization (not recommended) ● Cross forest trusts (recommended)
40 Integrating Linux systems with Active Directory Using Open Source Tools Synchronization Solution Overview
● LDAP level synchronization ● AD is the authoritative source - one way sync ● No group synchronization, only users ● Only one domain can be synchronized ● Single point of failure - sync happens only on one replica ● Limited set of attributes is replicated ● Passwords need to captured and synced ○ Requires a plugin on every AD DC ○ Mismatch of password policies can lead to strange errors
41 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM AD Integration with Trust
FreeIPA/IdM Active Directory
PKI DNS LDAP KDC KDC LDAP DNS PKI
Linux System
SSSD Policies
Authentication sudo
Identities HBAC
automount
Name Resolution selinux
Certificates/Keys ssh keys
42 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM AD Integration with Trust
Chain
FreeIPA/IdM Active Directory
PKI DNS LDAP KDC KDC LDAP DNS PKI
Linux System
SSSD Policies
Authentication sudo
Identities HBAC
automount
Name Resolution selinux
Certificates/Keys ssh keys
43 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM AD Integration with Trust
Delegate Zone FreeIPA/IdM Active Directory
PKI DNS LDAP KDC KDC LDAP DNS PKI
Linux System
SSSD Policies
Authentication sudo
Identities HBAC
automount
Name Resolution selinux
Certificates/Keys ssh keys
44 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM AD Integration with Trust
FreeIPA/IdM Active Directory Cross Forest Trust
PKI DNS LDAP KDC KDC LDAP DNS PKI
Linux System
SSSD Policies
Authentication sudo
Identities HBAC
automount
Name Resolution selinux
Certificates/Keys ssh keys
45 Integrating Linux systems with Active Directory Using Open Source Tools FreeIPA/IdM AD Integration with Trust
FreeIPA/IdM Active Directory
PKI DNS LDAP KDC KDC LDAP DNS PKI
Linux System
SSSD Policies
Authentication sudo
Identities HBAC
automount
Name Resolution selinux
Certificates/Keys ssh keys
46 Integrating Linux systems with Active Directory Using Open Source Tools User Mapping Details
● Can leverage SFU/IMU for POSIX (brown field) ● Can do dynamic mapping of the SIDs to UIDs & GIDs (green field) ● Static override with ID views
47 Integrating Linux systems with Active Directory Using Open Source Tools Trust Details
● Two-way and one-way trust (FreeIPA trusts AD) ○ AD/Samba DC trusting FreeIPA is on the roadmap ● Trust agents (different behavior of different replicas) ● Migration from the sync to trust
48 Integrating Linux systems with Active Directory Using Open Source Tools Trust Based Solution Pros and Cons
● Pros: ○ Free (FreeIPA/IdM is apart of OS) ○ Reduces cost – no CALs or 3rd party ○ Policies are centrally managed ○ Gives control to Linux admins ○ Enabled independent growth of the Linux environment ○ No synchronization required ○ Authentication happens in AD ○ Great tool for troubleshooting AD misconfigurations
49 Integrating Linux systems with Active Directory Using Open Source Tools Trust Based Solution Pros and Cons
● Requirement: ○ Proper DNS setup ● Cons: ○ Separate server
50 Integrating Linux systems with Active Directory Using Open Source Tools Summary
● There are different paths to AD integration: direct or indirect ● SSSD is recommended for direct integration for small environments up to 30-50 systems ● FreeIPA/IdM is recommended for bigger environments where management needs to scale and be automated
51 Integrating Linux systems with Active Directory Using Open Source Tools Questions?
52 Integrating Linux systems with Active Directory Using Open Source Tools THANK YOU!